Samba is a software package that comes with Fedora and Red Hat Linux systems. Samba enables you to share file systems and printers on a network with computers that use the Server Message Block (SMB) protocol. SMB is the protocol that is delivered with Windows operating systems for sharing files and printers. Although you can’t always count on NFS being installed on Windows clients (unless you install it yourself), SMB is always available (with a bit of setup).
On Fedora, the Samba software package contains a variety of daemon processes, administrative tools, user tools, and configuration files. To do basic Samba configuration, you can start with the Samba Server Configuration window. This window provides a graphical interface for configuring the server and setting directories to share.
Most of the Samba configuration you do ends up in the /etc/samba/smb.conf file. If you need to access features that are not available through the Samba Server Configuration window, you can edit /etc/samba/smb.conf by hand or use SWAT, a Web-based interface to configure Samba.
Daemon processes consist of smbd (the SMB daemon) and nmbd (the NetBIOS name server). The smbd daemon makes the file sharing and printing services you add to your Linux system available to Windows client computers. The client computers this package supports include:
Windows for Workgroups
MS Client 3.0 for DOS
Dave for Macintosh Computers
Samba for Linux
As for administrative tools for Samba, you have several shell commands at your disposal. You can check your configuration file using the testparm and testprns commands. The smbstatus command tells you which computers are currently connected to your shared resources. Using the nmblookup command, you can query for NetBIOS names (the names used to identify host computers in Samba).
Although Samba uses the NetBIOS service to share resources with SMB clients, the underlying network must be configured for TCP/IP. Although other SMB hosts can use TCP/IP, NetBEUI, and IPX/SPX to transport data, Samba for Linux supports only TCP/IP. Messages are carried between host computers with TCP/IP and are then handled by NetBIOS.
To see if Samba is installed on your Fedora system, type the following:
# rpm -qa | grep samba
samba-*
system-config-samba
samba-swat-*
samba-common-*
samba-client-*
You should see the name of each of the five packages, followed by the version number (I represented version numbers with an asterisk). Although not installed with all installation groups in Fedora, the packages that make up Samba are all included on the DVD that comes with this book. To install Samba, insert the DVD. Then run the following (skipping the first step if it mounts automatically):
# mount /media/cdrecorder
# cd /media/cdrecorder/Fedora/RPMS
# rpm -Uhv samba*
# cd ; umount /media/cdrecorder
Before you start trying to configure Samba, read the README file (located in /usr/share/doc/samba*). It provides a good overview of the SMB protocol and Samba.
The Samba Server Configuration window enables you to do a basic Samba configuration and then identify which directories you want to share. To make this procedure useful, I’m setting up a particular type of shared environment (which you can modify later if you prefer). Here are the characteristics:
A single local area network: Contains multiple Windows and Linux machines.
User-level security: Any user who wants to get to the shared Samba files must have a valid login and password on the Linux Samba server.
Encrypted passwords: Many clients use encrypted passwords with Samba (SMB) by default. I’ll describe how to turn on encrypted passwords for clients that don’t use encrypted passwords.
A guest user account: The guest user account will be useful later, so you can set up Samba to let users without special accounts use the server’s printers via Samba.
The following procedure describes how to configure Samba and create a shared directory in Samba:
To open the Samba Server Configuration window, click System Settings → Server Settings → Samba. The Samba Server Configuration window opens. (You will likely need to enter the root password.)
Click Preferences → Server Settings. The Server Settings window appears, as shown in Figure 18-3.
Figure 18-3: Define the workgroup and description for your Samba server.
Type the workgroup name (to match that of other computers with which you want to share files) and a short description.
Click the Security tab. A window appears like the one shown in Figure 18-4.
Figure 18-4: Fill in Security information for your Samba server.
Provide the following information for the fields on the Security tab and click OK:
Authentication Mode — Select User, Share, Server, ADS, or Domain. For this example, I selected User. (See the “Security options” section later in this chapter for details on each of the authentication modes.)
Authentication Server — This field is only valid if your Samba server is configured to use Server or Domain security. It identifies the server (NetBIOS name) that will be used to authenticate the user name and password the Samba client enters to gain access to this Samba server. With user authentication, passwords are checked on the Samba server, so in this example this field is blank.
Encrypt Passwords — Select Yes (to expect clients to send encrypted passwords) or No (to expect clear-text password). See the section on Samba clients later in this chapter to determine how to configure clients to use encrypted passwords.
Guest Account — Set this field to a user name that you want assigned to requests from anonymous users. Even with User mode security set globally, you can assign guest access to particular Samba shares (such as printers).
With User mode security (which is being used in this example), any user who wants to access a Samba share must have a regular user account on the Linux system. (Refer to Chapter 11 for information on adding user accounts.)
To add a user as a Samba user (that is, one who can access your Samba server), select Preferences → Samba Users. The Samba Users window appears.
Click Add User. The Create New Samba User window appears.
Provide information for the following fields in the Create New Samba User window and click OK:
Unix Username — Click this box, then select the Linux user name to which you want to give access to the Samba server.
Windows Username — This is the user name provided by the user when he or she requests the shared directory. (Often, it is the same as the Unix username.)
Samba Password — Type the Samba password, then retype it into the Confirm Samba Password field.
Repeat the previous step for each user you want to access the Samba shared directory.
Now that you have configured the default values for your Samba server, add a directory to share by clicking File → Add Share. The Create Samba Share window appears.
Fill in the following fields shown in the Create Samba Share window:
Directory — Type the name of the directory you want to share. For example, you might want to share a user’s home directory, such as /home/chris.
Description — Type any description you like of the Shared directory.
Basic Permissions — Select either Read-only or Read/Write. For Read-only, files can be viewed, but not changed, on the shared directory. For Read/Write, the user is free to add, change, or delete files, provided he or she has Linux file access to the particular file.
Click the Access tab, select one of the following choices for access to the share, and then click OK:
Only allow access to specific users — Click here, then choose which users will be allowed to access the shared directory. For example, if you are sharing a user’s directory (such as /home/chris), you probably want to restrict access to that directory to the directory’s owner (for example, chris). Read and write access to particular files and directories are determined by the Linux ownership and group assigned to them.
Allow access to everyone — Choose this option if you want to allow anyone to access this directory. (All users will have privileges assigned to the guest user when accessing the directory.)
After you click OK, Samba is started and the new directory is immediately available. You can close the Samba Server Configuration window.
Although Samba should be running at this point, you probably need to set Samba to start automatically every time you reboot Linux. To do that, type the following as root user in a Terminal window:
# chkconfig smb on
You can repeat the steps for adding a Samba shared directory for every directory you want to make available on your network. At this point, you can either:
Go through your Samba server settings in more detail (as described in the “Configuring Samba with SWAT” section) to understand how you might want to further tune your Samba server.
Try accessing the shared directories you just created from a client computer on your network.
If you cannot open the shared directory you just configured from a Windows computer or other Linux computer on your LAN, you are probably experiencing one of the following problems:
The client isn’t supplying a valid user name and password.
The client isn’t supplying an encrypted password.
The quick way around these problems is to use only share-level security (which, of course, throws your security right out the window). The other solution is to get passwords up-to-date and make sure that clients are using encrypted passwords (as described in the “Setting up Samba clients” section later in this chapter).
The Samba Web Administration Tool (SWAT) is a Web-based interface for configuring Samba. While it's not quite as easy to use as the Samba Server Configuration window, it does offer more options for tuning Samba and Help descriptions for each option.
Both SWAT and the Samba Server Configuration window configure Samba by modifying the /etc/samba/smb.conf file. Different GUI tools can overwrite each other’s settings, sometimes in a way that causes the other tool not to work.
In general, it’s best to make a backup copy of your files before switching GUI tools. Eventually, you should choose one tool and stick with it.
Before you can use SWAT, you must do some configuration. To set up SWAT to run from your browser, follow these steps:
To turn on the swat service, type the following, as root user, from a Terminal window:
# chkconfig swat on
To pick up the change to the swat service, restart the xinetd start-up script as follows:
# service xinetd restart
When you have finished this procedure, use the SWAT program, described in the next section, to configure Samba.
You can run the SWAT program by typing the following URL in your local browser:
At this point, the browser will prompt you for a user name and password. Enter the root user name and password. The SWAT window should appear, as shown in Figure 18-5.
Figure 18-5: Use SWAT from your browser to manage your Samba configuration.
Instead of running SWAT from your local browser, you can run it from another computer on the network by substituting the server computer’s name for localhost. (To allow computers besides localhost to access the swat service, you must change or remove the only_from = 127.0.0.1 line from the /etc/xinetd.d/swat file and restart the xinetd service.)
The rest of this section describes how to use SWAT to create your configuration entries (in /etc/samba/smb.conf) and to work with that configuration.
Any time you use a GUI to change a plain-text configuration file (as you do with SWAT), you may lose some of the information that you put in by hand. In this case, SWAT deletes comment lines and rearranges other entries. To protect changes you have made manually, make a backup copy of your /etc/samba/smb.conf file before you edit it with SWAT.
A group of global settings affects how file and print sharing are generally accomplished on a Samba server. They appear under the [global] heading in the /etc/samba/smb.conf file. To edit global variables, click the GLOBALS button on the SWAT window.
Seven option types are available: base options, security options, logging options, tuning, printing options, browse options, and WINS options. To view and modify your global Samba server settings, click the GLOBALS button. Then add the following options.
Each option shown relates to the exact parameters used in the /etc/samba/smb.conf file. You can refer to the smb.conf man page (type man smb.conf) to get more information on these parameters.
The following options relate to basic information associated with your Samba server:
workgroup — The name of the workgroup associated with the group of SMB hosts. By default in Fedora, the value for this field is MYGROUP.
realm — If you are using Kerberos authentication, this value indicates the Kerberos realm to use. Typically, that is reflected by the host name of the server providing the service.
netbios name — The name assigned to this Samba server. You can use the same name as your DNS host name or leave it blank, in which case the DNS host name is used automatically.
netbios alias — This enables you to set a way of referring to a host computer (an alias) that is different from the host’s TCP/IP DNS name.
server string — A string of text identifying the server. This name appears in places such as the printer comment box. By default, it says Samba and the version number.
interfaces — Lets you set up more than one network interface. This enables Samba to browse several different subnetworks. The form of this field can be IP Address/Subnetwork Mask. Or, you could identify a network interface (such as eth0 for the first Ethernet card on your computer). For example, a Class C network address may appear as 192.168.24.11/255.255.255.0.
Of the security options settings, the first option (security) is the most important one to get right. It defines the type of security used to give access to the shared file systems and printers to the client computers. (To see some of the fields described here, you need to click the Advanced view.)
security — Sets how password and user information is transferred to the Samba server from the client computer. As noted earlier, it’s important to get this value right. The default value for security (security=user) is different than the default value for security (security=share) in pre-2.0 versions of Samba. If you are coming from an earlier version of Samba and clients are failing to access your server, this setting is a good place to start. Here are your options:
user — The most common type of security used to share files and printers to Windows 95/98/2000 and Windows NT clients. It is the default set with Samba in the current release. This setting is appropriate if users are doing a lot of file sharing (as opposed to a Samba server used mostly as a print server). It requires that a user provide a user name/password before using the server.
The easiest way to get this method working is to give a Fedora user account to every client user who will use the Fedora Samba server. This provides basically the same file permissions to a user account through Samba as the same user would get if he or she were logged in directly to Linux.
Apparently, there is a bug in Windows for Workgroups that causes the password that the user types in to be ignored from a “connect drive” dialog box. Instead, Windows uses the user name and password in effect for the user’s current Windows login session. One way around this problem, although it is clumsy from a security standpoint, is to assign the same user name/password combination for each user on the Fedora computer that they use in Windows.
share — The share value for security works best for just print sharing or for providing file access that is more public (guest sharing). A client doesn’t need to provide a valid user name and password to access the server. However, the user will typically have a "guest" level of permission to access and change files. See the sidebar describing guest accounts for further information.
server — The security option that, from the client’s point of view, is the same as user security, in that the client still has to provide a valid user name/password combination to use the Samba server at all. The difference is on the server side. With server security, the user name/password is sent to another SMB server for validation. If this fails, Samba will try to validate the client using user security.
domain — This security option also, from the client’s point of view, looks the same as user security. This setting is used only if the Samba server has been added to a Windows NT domain (using the net join command). When a client tries to connect to the Samba server in this mode, its user name and password are sent to a Windows NT Primary or Backup Domain controller. This is accomplished the same way that a Windows NT server would perform validation. Valid Linux user accounts must still be set up.
encrypt passwords — Controls whether encrypted passwords can be negotiated with the client. This is on (Yes) by default. For domain security, this value must be Yes. Later versions of Windows NT (4.0 SP3 or later) and Windows 98 and Windows 2000 expect encrypted passwords to be on. (See the “Setting up Samba clients” section for information on getting clients to use encrypted passwords.)
update encrypted — Allows users who log in with a plain-text password to automatically have their passwords updated to an encrypted password when they log in. Normally, this option is off. It can be turned on when you want an installation using plain-text passwords to have everyone updated to encrypted password authentication. It saves users the trouble of running the smbpasswd command directly from the server. After everyone is updated, this feature can be turned off. When this option is on, the encrypt passwords option should be set to no.
obey pam restrictions — Turn this on (Yes) if you want to use PAM for account and session management. Even if activated, PAM is not used if the encrypted passwords feature is turned on (encrypt passwords = yes).
pam password change — Indicates to use the PAM password change control flag for Samba. If this is on (Yes), SMB clients will use PAM instead of the program listed in the Password Program value for changing SMB passwords.
passwd program — Indicates which password program to use to change Linux user passwords. By default, /usr/bin/passwd is used, with the current user name (%u) inserted.
passwd chat — Sets the chat that goes on between the Samba daemon (smbd) and the Linux password program (/usr/bin/passwd by default) when smbd tries to synchronize SMB passwords with Linux user passwords.
username map — This sets the file used to map Samba user names. By default, this file is /etc/samba/smbusers.
unix password sync — With this on (Yes), Samba tries to update a user’s Linux user password with his or her SMB password when the SMB password is changed. To do this, SMB runs the passwd command as the root user. This is on by default.
guest account — Specifies the user name for the guest account. When a service is specified as Guest OK, the user name entered here will be used to access that service. The account is usually the nobody user name.
Make sure that the guest account is a valid user. (The default of nobody should already be set up to work.) With an invalid user as the guest account, the IPC$ connection that lists the shared resources fails.
hosts allow — Contains a list of one or more hosts that are allowed to use your computer’s Samba services. By default, users from any computer can connect to the Samba server (of course, they still have to provide valid user names and passwords). Usually, you use this option to allow connections from specific computers (such as 10.0.0.1) or computer networks (such as 10.0.0.) that are excluded by the hosts deny option.
hosts deny — Contains a list of one or more hosts from which users are not allowed to use your computer’s Samba services. You can make this option fairly restrictive, and then add the specific hosts and networks you want to use the Samba server. By default, no hosts are denied.
The following options help define how logging is done on your Samba server:
log level — Sets the debug level used when logging Samba activity. Raise the level from the default (0) to log more Samba activity.
log file — Defines the location of the Samba smb log file. By default, Samba log files are contained in /var/log/samba (with file names nmbd.log, smbd.log, and smb.log). In this option, the %m is replaced by the name of each host that tries to connect to the local Samba server. So, for example, for a client host named maple, the smb log file would be /var/log/samba/maple.log.
max log size — Sets the maximum amount of space, in kilobytes, that the log files can consume. By default, the value is set to 0 (no limit).
Samba always assigns the permissions level of a valid user on the Linux system to clients who use the server. In the case of share security, the user is assigned a guest account (the nobody user account by default).
If the guest account value isn’t set, Samba goes through a fairly complex set of rules to determine which user account to use. The result is that it can be hard to assure which user permissions will be assigned in each case. This is why it is recommended to use user security if you want to provide more specific user access to your Samba server.
The Socket Options option lets you pass options to the protocols Samba uses to communicate. The following options are set by default: TCP_NODELAY, SO_RCVBUF=8192, and SO_SNDBUF=8192. The first option disables Nagle’s algorithm, which is used to manage the transmission of TCP/IP packets. The other two options set the maximum size of the socket’s receive buffer and send buffer, respectively, to 8192. These options are set to improve performance (reportedly up to 10 times faster than without setting these options). In general, you shouldn’t change these options.
The printing option is used to define how printer status information is presented. For Fedora, the value is typically cups. You can use printing styles from other types of operating systems, such as UNIX System V (sysv), AIX (aix), HP UNIX (hpux), and Berkeley UNIX (bsd), to name a few. LPRng (lprng), offered by many UNIX systems, is also included.
A browse list is a list of computers that are available on the network to SMB services. Clients use this list to find computers that are not only on their own LAN, but also computers in their workgroups that may be on other reachable networks.
In Samba, browsing is configured by options described below and implemented by the nmbd daemon. If you are using Samba for a workgroup within a single LAN, you probably don’t need to concern yourself with the browsing options. If, however, you are using Samba to provide services across several physical subnetworks, you might want to consider configuring Samba as a domain master browser. Here are some points to think about:
Samba can be configured as a master browser. This allows it to gather lists of computers from local browse masters to form a wide-area server list.
If Samba is acting as a domain master browser, Samba should use a WINS server to help browse clients resolve the names from this list.
Samba can be used as a WINS server, although it can also rely on other types of operating systems to provide that service.
There should be only one domain master browser for each workgroup. Don’t use Samba as a domain master for a workgroup with the same name as an NT domain.
If you are working in an environment that has a mix of Samba and Windows NT servers, you should use an NT server as your WINS server. If Samba is your only file server, you should choose a single Samba server (nmbd daemon) to supply the WINS services.
A WINS server is basically a name server for NetBIOS names. It provides the same service that a DNS server does with TCP/IP domain names: it can translate names into addresses. A WINS server is particularly useful for allowing computers to communicate with SMB across multiple subnetworks where information is not being broadcast across the subnetworks’ boundaries.
To configure the browsing feature in Samba, you must have the workgroup named properly (described earlier in this section). Here are the global options related to SMB browsing.
If browsing isn’t working, check the nmbd log file (/var/log/samba/log.nmbd). To get more detail, increase the debug information level to 2 or 3 (described earlier in the "Logging options" section) and restart Samba. The log can tell you if your Samba server is the master browser and, if so, which computers are on its list.
os level — Set a value to control whether your Samba server (nmbd daemon) may become the local master browser for your workgroup. Raising this setting increases the Samba server’s chance to control the browser list for the workgroup in the local broadcast area.
If the value is 0, a Windows machine will probably be selected. A value of 65 will probably ensure that the Samba server is chosen over an NT server. The default is 20.
preferred master — Set this to Yes if you want to force selection of a master browser. By setting this to Yes, the Samba server also has a better chance of being selected. (Setting Domain Master to Yes along with this option should ensure that the Samba server will be selected.) This is set to Auto by default, which causes Samba to try to detect the current master browser before taking that responsibility.
local master — Set this to Yes if you want the Samba server to become the local browser master. (This is not a guarantee, but gives it a chance.) Set the value to No if you do not want your Samba server selected as the local master. Local Master is Auto by default.
domain master — Set this to Yes if you want the Samba server (nmbd daemon) to identify itself as the domain master browser for its workgroup. This list will then allow client computers assigned to the workgroup to use SMB-shared files and printers from subnetworks that are outside of their own subnetwork. This is set to No by default.
Use the WINS options if you want to have a particular WINS server provide the name-to-address translation of NetBIOS names used by SMB clients. As noted earlier, you probably don’t need to use a WINS server if all of the clients and servers in your SMB workgroup are on the same subnetwork. That’s because NetBIOS names can be obtained through addresses that are broadcast. It is possible to have your Samba server provide WINS services.
wins server — If there is a WINS server on your network that you want to use to resolve the NetBIOS names for your workgroup, you can enter the IP address of that server here. Again, you will probably want to use a WINS server if your workgroup extends outside of the local subnetwork.
wins support — Set this value to Yes if you want your Samba server to act as a WINS server. (It’s No by default.) Again, this is not needed if all the computers in your workgroup are on the same subnetwork. Only one computer on your network should be assigned as the WINS server.
Besides the values described here, you can access dozens more options by clicking the Advanced View button. When you have filled in all the fields you need, click Commit Changes on the screen to have the changes written to the /etc/samba/smb.conf file.
To make your shared directory available to others, you can add an entry to the SWAT window. To use SWAT to set up Samba to share directories, do the following:
You may see one or more security warnings during the course of this procedure. These messages warn you that someone can potentially view the data you are sending to SWAT. If you are working on your local host or on a private LAN, the risk is minimal.
From the main SWAT window, click the SHARES button.
Type the name of the directory that you want to share in the Create Share box, then click Create Share.
Click Advanced to change to the Advanced view.
There are a few dozen options to choose from. Here are a few that might particularly interest you:
comment — A few words to describe the shared directory (optional).
path — The path name of the directory you are sharing.
read only — If Yes, then files can only be read from this file system, but no remote user can save or modify files on the file system. Select No if you want users to be allowed to save files to this directory over the network.
guest ok — Select Yes to enable anyone access to this directory without requiring a password.
hosts allow — Add the names of the computers that will be allowed to access this file system. You can separate host names by commas, spaces, or tabs. Here are some valid ways of entering host names:
localhost — Allow access to the local host.
192.168.74.18 — IP address. Enter an individual IP address.
192.168.74. — Enter a network address to include all hosts on a network. (Be sure to put a dot at the end of the network number or it won’t work!)
maple, pine — Enable access to individual hosts by name.
EXCEPT host — If you are allowing access to a group of hosts (such as by entering a network address), use EXCEPT to specifically deny access from one host from that group.
hosts deny — Deny access to specific computers by placing their names here. By default, no particular computers are excluded. Enter host names in the same forms you used for hosts allow.
browseable — Indicates whether you can view this directory on the list of shared directories. This is on (Yes) by default.
available — Enables you to leave this entry intact, but turns off the service. This is useful if you want to close access to a directory temporarily. This is on (Yes) by default. Select No to turn it off.
Select Commit Changes.
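The hosts allow and hosts deny forms listed above (single address, network prefix with trailing dot, host names, EXCEPT) can be checked against a small model before you commit them. The following is an added example, not code from this book or from Samba: access_allowed and its helpers are hypothetical names, host names are compared as given rather than resolved, the ALL wildcard is included in addition to the forms in the list, and the order in which the two lists are combined is my understanding of Samba's behavior, so confirm results on the real server.

```python
import re


def _item_matches(item, host_name, host_ip):
    """Match one list entry against a client's name and IP address."""
    if item.upper() == "ALL":            # wildcard, as in "hosts deny = ALL"
        return True
    if item.endswith("."):               # network prefix such as 192.168.74.
        return host_ip.startswith(item)
    # Anything else is compared as a whole host name or a whole IP address,
    # which is why "192.168.74" without the trailing dot matches nothing.
    return item.lower() in (host_name.lower(), host_ip)


def _list_matches(tokens, host_name, host_ip):
    """True if the client matches the list, honouring EXCEPT."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            # "A EXCEPT B": must match something in A and nothing in B.
            return (any(_item_matches(t, host_name, host_ip) for t in tokens[:i])
                    and not _list_matches(tokens[i + 1:], host_name, host_ip))
    return any(_item_matches(t, host_name, host_ip) for t in tokens)


def _tokens(spec):
    """Entries may be separated by commas, spaces, or tabs."""
    return [t for t in re.split(r"[,\s]+", spec) if t]


def access_allowed(hosts_allow, hosts_deny, host_name, host_ip):
    """Combine the two lists; a match in hosts allow wins over hosts deny."""
    allow, deny = _tokens(hosts_allow), _tokens(hosts_deny)
    if not allow and not deny:
        return True                       # default: any host may connect
    if not deny:
        return _list_matches(allow, host_name, host_ip)
    if not allow:
        return not _list_matches(deny, host_name, host_ip)
    if _list_matches(allow, host_name, host_ip):
        return True
    # Both lists set and the client is in neither: only hosts deny decides,
    # so a narrow deny list leaves every unlisted host allowed.
    return not _list_matches(deny, host_name, host_ip)


if __name__ == "__main__":
    # Constructed clients and settings, for illustration only.
    cases = [
        ("192.168.74. EXCEPT 192.168.74.18", "", "maple", "192.168.74.20"),
        ("192.168.74. EXCEPT 192.168.74.18", "", "pine", "192.168.74.18"),
        ("192.168.74", "", "maple", "192.168.74.20"),      # missing dot
        ("maple, pine", "ALL", "oak", "192.168.74.9"),
        ("maple", "10.0.0.", "oak", "192.168.74.9"),       # in neither list
    ]
    for allow, deny, name, ip in cases:
        verdict = "allow" if access_allowed(allow, deny, name, ip) else "deny"
        print(f"{verdict:5}  {name} ({ip})  allow={allow!r} deny={deny!r}")
```

On the server itself, testparm accepts a host name and IP address after the configuration file name and reports whether that client would be allowed by the hosts allow and hosts deny settings.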
At this point, the shared file systems should be available to the Samba client computers (Windows 9x, Windows NT, Windows 2000, OS/2, Linux, and so on) that have access to your Linux Samba server. Before you try that, however, you can check a few things about your Samba configuration.
From the SWAT window, select the STATUS button.
From this window, you can restart your smbd and nmbd processes. Likewise, you can see lists of active connections, active shares, and open files. (The preferred way to start the smbd and nmbd daemons is to set up the smb service to start automatically. Type chkconfig smb on to set the service to start at boot time.)
Although you can set up Samba through the Samba Server Configuration window or SWAT, many administrators prefer to edit the /etc/samba/smb.conf directly. As root user, you can view the contents of this file and make needed changes. If you selected user security (as recommended), you will also be interested in the smbusers and smbpasswd file (also in the /etc/samba directory). These files, as well as commands such as testparm and smbstatus, are described in the following sections.
Changes you make using the Samba Server Configuration window or SWAT Web interface are reflected in your /etc/samba/smb.conf file. Here’s an example of an smb.conf file (with comments removed):
[global]
    workgroup = ESTREET
    server string = Samba Server on Maple
    hosts allow = 192.168.0.
    printcap name = /etc/printcap
    load printers = yes
    printing = cups
    log file = /var/log/samba/%m.log
    max log size = 0
    smb passwd file = /etc/samba/smbpasswd
    security = user
    encrypt passwords = Yes
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    pam password change = yes
    obey pam restrictions = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    username map = /etc/samba/smbusers
    dns proxy = no
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
In the [global] section, the workgroup is set to ESTREET, the server is identified as the Samba Server on Maple, and only computers that are on the local network (192.168.0.) are allowed access to the Samba service. You must change the local network to match your network.
Definitions for the local printers that will be shared are taken from the /etc/printcap file, the printers are loaded (yes), and the cups printing service (which is the default print service used by Fedora) is used.
Separate log files for each host trying to use the service are created in /var/log/samba/%m.log (with %m automatically replaced with each host name). There is no limit to log file size (0).
In this case, we are using user-level security (security = user). This allows a user to log in once and then easily access the printers and the user’s home directory on the Linux system. Password encryption is on (encrypt passwords = yes) because most Windows systems have password encryption on by default. Passwords are stored in the /etc/samba/smbpasswd file on your Linux system.
The dns proxy = no option prevents Linux from looking up system names on the DNS server (used for TCP/IP lookups).
The [homes] section allows each user to access his or her Linux home directory from a Windows system on the LAN. The user will be able to write to the home directory. However, other users will not be able to see or share this directory. The [printers] section allows all users to print to any printer that is configured on the local Linux system.
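The settings walked through above (hosts allow, security, encrypt passwords, and the per-share guest ok and writable lines) can be checked mechanically. The following is an added example, not part of the original chapter or of Samba; the names audit_smb_conf and sample_conf and the sample configuration are constructed for illustration.

```shell
# Added example; audit_smb_conf and sample_conf are illustrative names.
# Reads an smb.conf-style file (or stdin) and prints one WARN line per finding.
audit_smb_conf() {
    awk '
    function trim(s)   { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function is_yes(v) { return v ~ /^(yes|true|1)$/ }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                                   # section header such as [homes]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(trim(sec)); order[++n] = sec; next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val[sec, key] = tolower(trim(substr($0, eq + 1)))
    }
    END {
        if (!(("global", "hosts allow") in val))
            print "WARN [global] no hosts allow line: access is not limited by address"
        if (val["global", "security"] == "share")
            print "WARN [global] security = share instead of user"
        if (val["global", "encrypt passwords"] ~ /^(no|false|0)$/)
            print "WARN [global] encrypt passwords is turned off"
        for (i = 1; i <= n; i++) {                  # per-share checks, in file order
            s = order[i]; if (s == "global") continue
            if (is_yes(val[s, "guest ok"]) && is_yes(val[s, "writable"]))
                print "WARN [" s "] guests can write to this share"
        }
    }' "$@"
}

# Constructed sample: settings from the text with hosts allow dropped and a
# guest-writable [tmp] share added.
sample_conf() {
    cat <<'EOF'
[global]
    security = user
    encrypt passwords = Yes
[homes]
    writable = yes
[tmp]
    path = /tmp
    guest ok = yes
    writable = yes
EOF
}

sample_conf | audit_smb_conf
```

To check a real server, run audit_smb_conf /etc/samba/smb.conf; no output means none of these four conditions was found.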
Doing user-style Samba security means assigning a Linux user account to each person using the Linux file systems and printers from his or her Windows workstation. (You could assign users to a guest account instead, but in this example, all users have their own accounts.) Then you need to add SMB passwords for each user. For example, here is how you would add a user whose Windows 98 workstation login is chuckp:
Type the following as root user from a Terminal window to add a Linux user account:
# useradd -m chuckp
Add a Linux password for the new user as follows:
# passwd chuckp
Changing password for user chuckp
New UNIX password: ********
Retype new UNIX password: ********
Repeat the previous steps to add a user account for each Windows workstation user on your LAN who should have access to your Linux system.
Type the following command to create the Samba password file (smbpasswd):
# cat /etc/passwd | /usr/bin/mksmbpasswd.sh > /etc/samba/smbpasswd
Add an SMB password for the user as follows:
# smbpasswd chuckp
New SMB password: **********
Retype new SMB password: **********
Repeat this step for each user. Later, each user can log in to Linux and rerun the passwd and smbpasswd commands to set private passwords.
In the most recent version of Samba, options are available in the smb.conf file that cause SMB and Linux passwords to be synchronized automatically. See descriptions of the passwd program, passwd chat, and UNIX password sync options in the SWAT section of this chapter.
To start the Samba SMB and NMB daemons, you can run the /etc/init.d/smb start-up script by typing the following as the root user:
# service smb start
This runs the Samba service during the current session. To set up Samba to start automatically when your Linux system starts, type the following:
# chkconfig smb on
This turns on the Samba service to start automatically in run levels 3, 4, or 5. You can now check SMB clients on the network to see if they can access your Samba server.
You can run several commands from a shell to work with Samba. One is the testparm command, which you can use to check the access permissions you have set up. It lists global parameters that are set, along with any shared directories or printers.
The smbstatus command shows who is currently using Samba shared resources offered from your Linux system. The following is an example of the output from smbstatus:
Samba version 3.0.3-4
PID     Username      Group         Machine
-------------------------------------------------------------------

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         10865   shuttle       Thu May 13 15:12:13 2004
tmp          10866   shuttle       Thu May 13 15:12:14 2004
tmp          10874   10.0.0.218    Thu May 13 15:18:01 2004

Locked files:
Pid    DenyMode   Access      R/W        Oplock     Name
--------------------------------------------------------------
10874  DENY_FCB   0x3         RDWR       NONE       /tmp/.m.swp   Thu May 13 15:18:20 2004
10874  DENY_NONE  0x1         RDWR       NONE       /tmp/m   Thu May 13 15:18:30 2004
This output shows that from your Linux Samba server, the tmp service (which is a share of the /tmp directory) is currently open by the computer named shuttle. PID 10874 is the process number of the smbd daemon on the Linux server that is handling the service. The open files are /tmp/m and /tmp/.m.swp, which happen to be opened by a vi command. Both have read/write access.
Once you have configured your Samba server, you can try using the shared directories from a client computer on your network. The following sections describe how to use your Samba server from another Linux system or from various Windows systems.
There are several methods of connecting to shared directories from your Samba client. The following sections address these methods.
To connect to a Samba share from Nautilus, use the Open Location box by clicking File → Open Location. Then type smb: into your Nautilus file manager Open Location box.
A list of SMB workgroups on your network appears in the window. You can select a workgroup, choose a server, and then select a resource to use. This should work for shares requiring no password.
The Nautilus interface seems to be a bit buggy when you need to enter passwords. Also, it requires you to either send clear-text passwords or type the user and password into your location box. For example, to get to my home directory (/home/chris) through Nautilus, I can type my user name, password, server name, and share name as follows:
Linux can view your Samba shared directories as it does any other medium (hard disk, NFS shares, CD-ROM, and so on). Using the mount command, you can mount a Samba shared file system so that it is permanently connected to your Linux file system.
The following example of the mount command shows how I would mount my home directory (/home/chris) from a computer named toys on a local directory (/mnt/toys). As root user, from a Terminal window, type:
# mkdir /mnt/toys
# mount -t smbfs -o username=chris,password=a72mg //toys/chris /mnt/toys
The file system type for a Samba share is smbfs (-t smbfs). I pass the username (chris) and password (a72mg) as options (-o). The remote share of my home directory on toys is //toys/chris. The local mount point is /mnt/toys. At this point, you can access the contents of /home/chris on toys as you would any file or directory locally. You will have the same permission to access and change the contents of that directory (and its subdirectories) as you would if you were the user chris using those contents directly from toys.
To mount the Samba shared directory permanently, you can add an entry to your /etc/fstab file. For the example just described, you could add the following line (as root user):
//toys/chris /mnt/toys smbfs username=chris,password=a72mg
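A password given on the mount command line or stored in /etc/fstab (which is normally world-readable) can be read by other local users. The smbfs mount options also accept credentials=FILE, which names a file holding the user name and password. The following added example (not from the original chapter) finds fstab entries with an inline password and writes an owner-only credentials file; the function names and the path /etc/samba/cred-toys are assumptions made for illustration.

```shell
# Added example; the function names and /etc/samba/cred-toys are illustrative.
# List SMB mounts in an fstab-style file (or stdin) that carry password=.
# The password itself is never printed.
find_inline_smb_passwords() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }
    $3 == "smbfs" || $3 == "cifs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^password=/) {
                print $2 ": password stored inline for " $1
                break
            }
    }' "$@"
}

# Write a credentials file for the smbfs "credentials=" mount option,
# readable only by its owner. The password comes from stdin, so it does
# not appear in the process list or in shell history.
write_smb_credentials() {    # usage: write_smb_credentials FILE USER < secret
    (
        umask 077
        IFS= read -r pw || [ -n "$pw" ]
        printf 'username = %s\npassword = %s\n' "$2" "$pw" > "$1"
        chmod 600 "$1"
    )
}

# Constructed sample: the fstab line from the text, then the same share
# mounted with a credentials file instead.
sample_fstab() {
    cat <<'EOF'
/dev/hda1     /          ext3  defaults 1 1
//toys/chris  /mnt/toys  smbfs username=chris,password=a72mg
//toys/chris  /mnt/toys2 smbfs credentials=/etc/samba/cred-toys
EOF
}

sample_fstab | find_inline_smb_passwords
```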
While using a Windows system, to see the file and print services available from your Linux Samba server (as well as from other computers on the network), open the Network Neighborhood window. To open the window, double-click the Network Neighborhood icon on the Windows 95 desktop. Figure 18-6 shows an example of the Network Neighborhood window for a small LAN.
Figure 18-6: View your Linux Samba server from the Network Neighborhood window.
The Network Neighborhood window shows the computers that Windows found on your network. If your server appears on the screen (in my case, the server’s name is pine), double-click it. Otherwise, you may need to double-click Entire Network, and then open the workgroup that your server is a part of to find your server. The server should show two kinds of resources:
Printers — A name and a printer icon should represent each printer shared from the server. To access a printer, double-click it. Windows will have you set up the printer for your computer. After that, you can print with it as you would any local printer.
Directories — A name and folder icon should represent shared directories from the server. Open the directory to see the files and folders in that directory.
Double-click a folder to view the contents of that folder. At this point, you may receive a request to enter a password. Type the password and click OK. You should be able to view the contents of the folder, and its subfolders, at this time.
If you plan to use the directory often, you may want to assign a drive letter to it. Right-click the folder icon, then select Map Network Drive. Select a drive from the list and, if you like, choose Reconnect at logon to have it available when you log on. Then click OK.
If the file server that you are looking for does not appear in your Network Neighborhood, you can try to search for it. Choose Start → Find → Computer. Type the name of the computer to search for, and then select Find Now. If the computer name appears, double-click it. A window should open, displaying the shared directories and printers from the server.
Alternatively, you can also create an lmhosts file to help your Windows 95 computer find your Linux Samba server. Copy the sample C:\windows\lmhosts.sam file to C:\windows\lmhosts. Then edit the file to add the host names and IP addresses of the SMB servers on your network.
A lot can go wrong with a Samba server. If your Samba server isn’t working properly, the descriptions in this section should help you pinpoint the problem.
Before computers can share directories and printers from Samba, they must be able to communicate on your LAN. Refer to Chapter 15 for information on setting up a LAN.
In Samba, your Samba server can use the TCP/IP name as the NetBIOS name (used by Windows networks for file and printer sharing), or a separate NetBIOS name can be set in the smb.conf file. It is critical, however, that the broadcast address be the same as that of all clients communicating with your Samba server. To see your broadcast address, type the following:
$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:D1:B3:75:A5:1B
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
The important information is the broadcast address (Bcast: 10.0.0.255). This is determined by the netmask (Mask:255.255.255.0). If the broadcast address isn’t the same for the Samba server and the clients on the LAN, the clients cannot see that the Samba server has directories or printers to share.
First, try the smbclient command from your Linux system to check that everything is running and being shared as you expect it to be. The smbclient command is a great tool for getting information about a Samba server and even accessing shared directories from both Linux and Windows computers. While logged in as root or any user who has access to your Samba server, type the following:
$ smbclient -L localhost
Password: **********
Domain=[ESTREET] OS=[Unix] Server=[Samba 3.0.3-4]

        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk      Home Directories
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)
        hp-ns1         Printer
Domain=[ESTREET] OS=[Unix] Server=[Samba 3.0.3-4]

        Server               Comment
        ---------            -------
        PINE                 Samba Server
        MAPLE                Windows XP
        NS1                  Samba Server

        Workgroup            Master
        ---------            -------
        ESTREET              PINE
This shows that the Samba server is running on the local computer. Shared directories and printers, as well as servers in the workgroup, appear here. If the Samba server is not running, you will see Connection refused messages. You need to start the Samba service as described in the "Starting the Samba service" section earlier in this chapter.
If the Samba server is running, it should begin broadcasting its availability on your LAN. If you try to access the server from a Windows or Linux client on your LAN, but get a Connection refused error, the problem may be that the firewall on your Linux Samba server is denying access to the NetBIOS service. If you have a secure LAN, you can type the following (as root user) to flush your firewall rules temporarily:
# iptables -F
Then, try to connect to the Samba Server from a Windows or Linux client. If you find that you can connect to the server, turn the firewall back on:
# service iptables restart
You then need to open access to ports 137, 138, and 139 in your firewall so that the Samba server will be able to accept connections for services. (See Chapter 14 for information on modifying your firewalls.)
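Before flushing every rule, you can check whether the firewall already accepts the three Samba ports. The following added example (not from the original chapter) reads iptables-save output and reports which of them no ACCEPT rule covers; the name missing_samba_ports and the sample rules are constructed, and the protocol split (137 and 138 over UDP for nmbd, 139 over TCP for smbd) is the standard NetBIOS assignment rather than something stated in the text.

```shell
# Added example; missing_samba_ports is an illustrative name. It reads
# iptables-save output (file or stdin) and prints each Samba port that no
# ACCEPT rule covers: 137/udp, 138/udp (nmbd) and 139/tcp (smbd).
# Heuristic only: it handles "--dport N" and "--dport N:M", skips the OUTPUT
# and FORWARD chains, and does not evaluate rule order or source addresses.
missing_samba_ports() {
    awk '
    $1 == "-A" && $2 != "OUTPUT" && $2 != "FORWARD" && /-j ACCEPT/ {
        proto = ""; lo = hi = -1
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
            }
        }
        if (proto == "udp" && lo <= 137 && hi >= 137) ok["137/udp"] = 1
        if (proto == "udp" && lo <= 138 && hi >= 138) ok["138/udp"] = 1
        if (proto == "tcp" && lo <= 139 && hi >= 139) ok["139/tcp"] = 1
    }
    END {
        if (!("137/udp" in ok)) print "137/udp"
        if (!("138/udp" in ok)) print "138/udp"
        if (!("139/tcp" in ok)) print "139/tcp"
    }' "$@"
}

# Constructed sample in iptables-save format: SSH and the NetBIOS name
# service are allowed from the LAN, everything else is rejected.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_rules | missing_samba_ports
```

On the server itself, run iptables-save | missing_samba_ports as root; any port it prints still needs an ACCEPT rule limited to your LAN.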
Try accessing a shared Samba directory as a particular user (from the local host or other Linux system on your LAN). You can use the smbclient command to do this. Here’s an example:
# smbclient //localhost/tmp -U chris
added interface ip=10.0.0.1 bcast=10.0.0.255 nmask=255.255.255.0
Password: *******
Domain=[ESTREET] OS=[Unix] Server=[Samba 2.2.7a]
smb: \>
In this example, smbclient connects to the directory share named tmp as the Samba user named chris. If the password is accepted, you should see information about the server and an smb:\> prompt. If you cannot access the same shared directory from a Windows client, it’s quite possible that the client is passing an improper user name and password. Part of the problem may be that the Windows client is not providing encrypted passwords.
For certain Windows clients, using encrypted passwords requires that you change the Windows registry on the machine. One way to change the registry is with the Windows regedit command. Registry changes required for different Windows systems are contained within the /usr/share/doc/samba-*/docs/registry directory.
The smbclient command, used here to list server information and test passwords, can also be used to browse the shared directory and copy files after you are connected. After you see the smb:\> prompt, type help to see the available commands. The interface is similar to any ftp client, such as sftp.